﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
7263	Don't check that user has entered e-mail instead of username	Valera Grishin	nobody	"Current django/trunk/contrib/admin/views/decorators.py has a function staff_member_required which checks whether the user supplied an e-mail address instead of a username in the login form.

If so, and the e-mail address is found in the user database, it suggests (via an error message) that the user use their username instead. The error message also shows the username found for the given e-mail address.

Here is the code in the staff_member_required function:
{{{
        if user is None:
            message = ERROR_MESSAGE
            if '@' in username:
                # Mistakenly entered e-mail address instead of username? Look it up.
                users = list(User.objects.filter(email=username))
                if len(users) == 1:
                    message = _(""Your e-mail address is not your username. Try '%s' instead."") % users[0].username
                else:
                    # Either we cannot find the user, or if more than 1 
                    # we cannot guess which user is the correct one.
                    message = _(""Usernames cannot contain the '@' character."")
            return _display_login_form(request, message)
}}}

This feature effectively works as a lookup and partially discloses sensitive information. It can be used to:
* check whether certain e-mail exists (at all)
* check whether certain e-mail is registered (on certain site)
* find username by e-mail

To fix this, the logic can be simplified as follows:
{{{
        if user is None:
            message = ERROR_MESSAGE
            if '@' in username:
                message = _(""Usernames cannot contain the '@' character."")
            return _display_login_form(request, message)
}}}
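The two code paths above side by side, as an added example that is not Django's code: a small in-memory stand-in for the user table makes it possible to check that the patched message is identical whether or not the e-mail address is registered (the USERS list, the message texts and the helper names are constructed for this illustration).

```python
# Added example, not Django's code: a minimal stand-in for the admin login
# error path, used to show why the original branch acts as an account oracle
# and to verify that the fixed branch does not depend on the user table.
# The user list and message texts below are constructed for this demo.

ERROR_MESSAGE = 'Please enter a correct username and password.'
AT_IN_USERNAME = 'Usernames cannot contain the \'@\' character.'

# Constructed stand-in for User.objects: (username, email) pairs.
USERS = [
    ('alice', 'alice@example.com'),
    ('bob', 'bob@example.com'),
    ('bob2', 'bob@example.com'),   # duplicate e-mail, so no unique match
]

def leaky_message(username, users=USERS):
    '''Behaviour of the original code: looks the e-mail up and echoes the
    matching username back to an unauthenticated client.'''
    if '@' not in username:
        return ERROR_MESSAGE
    matches = [u for u, e in users if e == username]
    if len(matches) == 1:
        return 'Your e-mail address is not your username. Try \'%s\' instead.' % matches[0]
    return AT_IN_USERNAME

def fixed_message(username, users=USERS):
    '''Behaviour after the patch: no lookup, so the response is the same
    for every input containing an '@' regardless of what is registered.'''
    if '@' in username:
        return AT_IN_USERNAME
    return ERROR_MESSAGE

def leaks_account_info(message_fn, users=USERS):
    '''Regression check a reviewer can run: the handler leaks information
    if the message for a registered e-mail differs from the message for an
    unregistered one, or if any username appears in the response.'''
    registered = message_fn('alice@example.com', users)
    unknown = message_fn('nobody@example.invalid', users)
    if registered != unknown:
        return True
    return any(u in registered for u, _ in users)
```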

Corresponding patch is attached."		closed	contrib.admin	dev		fixed	nfa-blocker		Accepted	1	0	0	0	0	0
